Data Controller and Data Processor Contracts – Part Two

David Fagan

Business Legal

In the fourth video of this series, David Fagan of Business Legal examines the contractual level of control that may be required to effectively manage and control data in instances when an organisation outsources the processing of its data. David considers the implications of limiting a contract with a Data Processor to comply with basic legal requirements.


Some practical thoughts on what you might consider having in your Controller-Processor Contract if you are the data controller. That is the person that owns the data and is outsourcing that data to some other party to process.

Well, you probably want to stitch into that contract an obligation to comply with the Data Protection Commissioner. You probably want to expressly state that the data may only be processed in accordance with your requirements in order to fulfil the contractual obligations of the contract. You probably want the data processor to provide you with assistance and notification when there are data subject access requests.

Consider a situation where you don't stitch something like that into a contract and a request comes in from a data subject that is perhaps a staff member, and he is looking for some data from you, but that data is in the possession of the data processor. I'm sure the data processor will give you that data on request but if it's not part of your contract, why should it do so for free?

Perhaps there may be an additional, possibly substantial, charge for the data processor providing you with that data. If you are subject to a data access request you have no choice but to comply with that access request, and in those circumstances you may not be in the best of negotiating positions with the data processor, if you've not agreed the rate for this beforehand.

You may want to make sure that the data processor destroys the personal data at the end of the contract or returns it to you, and you may want to specifically set out the format in which that data is returned to you. For instance, if you have given your data to a data processor and they've processed the dues in their proprietary systems, you might find that in order to properly access that data, you might need access to their proprietary systems, perhaps in a particular file format.

It's much more difficult to try and deal with this issue at the end of the contract when the processor may have no commercial reason to agree reasonable terms with you, and perhaps maybe try to extract as much payment from you in the end as possible.

Much easier to deal with this at the start of the relationship when it is in the clear commercial interest of the data processor to agree to hand over the data in a format that is not proprietary, or to give you access to their proprietary format.

You may wish to stitch into the contract how exactly data transfers across jurisdictions are to be handled, or how any contracts with subcontractors are to be handled. You may wish (although it's unlikely in most cases that you'll get this) but you may wish to be indemnified against breaches occurring in the data processor's care or control.

You remain liable for those breaches so again you may, if you're in a strong negotiating and bargaining position, wish to require the data processor to indemnify you against any breaches which are their fault.

This article is correct at 30/05/2017

Disclaimer:

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.